﻿
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- saved from url=(0014)about:internet -->
<html xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:mssdk="winsdk" xmlns:script="urn:script" xmlns:build="urn:build" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="Description" content="Using PoolMon to Find a Kernel-Mode Memory Leak"/>
<meta name="MSHAttr" content="PreferredSiteName:MSDN"/>
<meta name="MSHAttr" content="PreferredLib:/library/windows/hardware"/>
<title>Using PoolMon to Find a Kernel-Mode Memory Leak</title>

<meta name="MS-HAID" content="t13_advanced_2e1b1c13-0c48-4b86-a09e-c37a9939107b.xml"/>


<link rel="STYLESHEET" type="text/css" HREF="../common/backsdk4.css"/>





<style>
html,div { margin: 0; padding: 0;}

body {
	padding: 0px;
	margin: 0px;
	overflow: auto;
	height: 100%;
}

#winchm_template_button{
	float: right;
	width: 93px;
	top: 7px;
	position: relative;
	text-align: right;
	right: 5px;
	height: auto;
}

#winchm_template_top{
	padding: 0px;
	margin: 0px;
	border-bottom: 1px solid #9B9B9B;
	background-color: #B1CEFE;
}

#winchm_template_navigation{
	margin: 0px;
	padding-top: 7px;
	padding-left: 7px;
	padding-bottom: 3px;
	padding-right: 0px;
	font-size: 8.5pt;
	font-family: Arial, Helvetica, sans-serif;
	font-weight: normal;
	color: #585858;
}

#winchm_template_title{
	margin: 0px;
	padding-top: 4px;
	padding-left: 7px;
	padding-bottom: 7px;
	padding-right: 0px;
	font-size: 18px; 
	font-family: Verdana, Geneva, sans-serif;
	color: #363636;
}

#winchm_template_content{
	margin-top: 20px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	width: auto  !important;
	width: 100%;
}

#winchm_template_footer{
	border-width: 1px;
	border-color: #B1CEFE;
	border-top-style: solid;
	margin-top: 15px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	padding-top: 7px;
	padding-left: 0px;
	padding-bottom: 0px;
	padding-right: 0px;
	font-family: arial, helvetica, sans-serif;
	font-size: 8.5pt;
	color: #696969;
	width: auto;
	text-align: left;
}


#winchm_template_container{
	margin: 0px;
	padding: 0px;
	position: static;
	padding-bottom: 3px;
	overflow: auto;
	background-color: #FFFFFF;
}


@media print
{
#winchm_template_container{
	position: static;	
	margin: 0px;
	padding: 5px;
	
	width: auto;
	height: auto;
	overflow: auto;
}
#winchm_template_button{
visibility:hidden;
}
}

#winchm_template_navigation A:link	{text-decoration: none; color:#004080}
#winchm_template_navigation A:visited  {text-decoration: none; color: #004080}
#winchm_template_navigation A:active {text-decoration: none; color: #004080 }
#winchm_template_navigation A:hover {text-decoration: none;color: #0080FF}

A:link	{text-decoration: underline; color:#0033CC}
A:visited  {text-decoration: underline; color: #0033CC}
A:active {text-decoration: underline; color: #0033CC }
A:hover {text-decoration: underline;color: #FF0000;}
</style>
<script type="text/javascript">
function isMobile(){
Agent = window.navigator.userAgent;
if (Agent.indexOf("iPhone")>=1 || Agent.indexOf("iPad")>=1 || Agent.indexOf("iPod")>=1 || Agent.indexOf("Android")>=1){
return true;
}else{
return false;	
}

}
function d_onresize(){
if (window.navigator.userAgent.indexOf("MSIE")>=1){
document.getElementById('winchm_template_container').style.pixelWidth = document.body.offsetWidth - 3;
document.getElementById('winchm_template_container').style.pixelHeight = document.body.offsetHeight - document.getElementById('winchm_template_top').offsetHeight - 4;
}
document.getElementById('winchm_template_container').style.top = document.getElementById('winchm_template_top').offsetHeight + 'px';
}

function d_onbeforeprint(){
document.getElementById('winchm_template_container').style.width = 'auto';
document.getElementById('winchm_template_container').style.height = 'auto';
}

function d_onafterprint(){
d_onresize();
}

if(!isMobile()){

window.onload = d_onresize;
window.onresize = d_onresize;
window.onbeforeprint = d_onbeforeprint;
window.onafterprint = d_onafterprint;

document.write("<style>\n");
document.write("body {overflow: hidden;}\n");
document.write("#winchm_template_container {position: absolute;overflow: auto;top : 0px;right: 0px;bottom: 0px;left: 0px;}\n");
document.write("</style>\n");
}

</script>
</head>
<body><script language="JavaScript" type="text/JavaScript">
function syn(){
if(parent.nav.tree){
 if(parent.nav.tree.loaded){
  parent.nav.tree.selectNode(1390);
 }else{
  setTimeout("syn()",500);
}
  }else{
  setTimeout("syn()",500);
  }}
if(parent!=self){
  setTimeout("syn()",100);
}else{
  parent.location.href = "../../index.htm?page=debugger/using_poolmon_to_find_a_kernel_mode_memory_leak.htm";
}
originalOnload = window.onload;
if(originalOnload==null){
window.onload = function(){parent.contentLoaded = true;};
}else{
window.onload = function(){originalOnload();parent.contentLoaded = true;};
}
</script> 


<div id="winchm_template_top">
	<div id="winchm_template_button"><A href="finding_a_kernel_mode_memory_leak.htm" title="Previous topic"><img id="winchm_template_prev" alt="Previous topic" src="../template2/btn_prev_n.gif" border="0"></a><A href="using_the_kernel_debugger_to_find_a_kernel_mode_memory_leak.htm" title="Next topic"><img id="winchm_template_next" alt="Next topic" src="../template2/btn_next_n.gif" border="0"></a></div>
	<div id="winchm_template_navigation">Help &gt; 
<A href="introduction6.htm">Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)</A> &gt; <A href="debugging_techniques.htm">Debugging Techniques</A> &gt; <A href="standard_debugging_techniques.htm">Standard Debugging Techniques</A> &gt; <A href="finding_a_memory_leak.htm">Finding a Memory Leak</A> &gt; <A href="finding_a_kernel_mode_memory_leak.htm">Finding a Kernel-Mode Memory Leak</A> &gt; </div>
	<div id="winchm_template_title">Using PoolMon to Find a Kernel-Mode Memory Leak</div>
</div>
<div id="winchm_template_container">
	<div id="winchm_template_content"><div id="mainSection"><p>If you suspect there is a kernel-mode memory leak, the easiest way to determine which pool tag is associated with the leak is to use the PoolMon tool.</p>
<p>PoolMon (Poolmon.exe) monitors pool memory usage by pool tag name. This tool is included in the Windows Driver Kit (WDK). For a full description, see <a href="http://go.microsoft.com/fwlink/p/?linkid=122776">PoolMon</a> in the WDK documentation. </p>
<h3><a id="enable_pool_tagging__windows_2000_and_windows_xp_"></a><a id="ENABLE_POOL_TAGGING__WINDOWS_2000_AND_WINDOWS_XP_"></a>Enable Pool Tagging (Windows 2000 and Windows XP)</h3>
<p>On Windows 2000 and Windows XP you must first use GFlags to enable pool tagging. GFlags is included in Debugging Tools for Windows. Start GFlags, choose the <b>System Registry</b> tab, check the <b>Enable Pool Tagging</b> box, and then click <b>Apply</b>. You must restart Windows for this setting to take effect. For more details, see <a href="#Bookmark36">GFlags</a>.</p>
<p>On Windows Server 2003 and later versions of Windows, pool tagging is always enabled. </p>
<h3><a id="using_poolmon"></a><a id="USING_POOLMON"></a>Using PoolMon</h3>
<p>The PoolMon header displays the total paged and non-paged pool bytes. The columns show pool use for each pool tag. The display is updated automatically every few seconds. For example:</p>
<pre class="syntax" xml:space="preserve"><code>Memory: 16224K Avail: 4564K PageFlts: 31 InRam Krnl: 684K P: 680K
Commit: 24140K Limit: 24952K Peak: 24932K Pool N: 744K P: 2180K

Tag   Type  Allocs       Frees        Diff    Bytes       Per Alloc
-----------------------------------------------------------------------

CM    Paged   1283  ( 0)  1002  ( 0)   281  1377312   ( 0)  4901
Strg  Paged  10385 ( 10)  6658  ( 4)  3727   317952 ( 512)    85
Fat   Paged   6662  ( 8)  4971  ( 6)  1691   174560 ( 128)   103
MmSt  Paged    614  ( 0)   441  ( 0)   173    83456   ( 0)   482 </code></pre>
<p>PoolMon has command keys that sort the output according to various criteria. Press the letter associated with each command in order to re-sort the data. It takes a few seconds for each command to work. </p>
<p>The sort commands include:</p>
<table>
<tr>
<th>
       Command Key
       
      </th>
<th>
       Operation
       
      </th>
</tr>
<tr>
<td>
<p><b>P</b></p>
</td>
<td>
<p>Limits the tags shown to nonpaged pool, paged pool, or both. Repeatedly pressing <b>P</b> cycles through each of these options, in that order.</p>
</td>
</tr>
<tr>
<td>
<p><b>B</b></p>
</td>
<td>
<p>Sorts tags by maximum byte usage.</p>
</td>
</tr>
<tr>
<td>
<p><b>M</b></p>
</td>
<td>
<p>Sorts tags by maximum byte allocations.</p>
</td>
</tr>
<tr>
<td>
<p><b>T</b></p>
</td>
<td>
<p>Sorts tags alphabetically by tag name.</p>
</td>
</tr>
<tr>
<td>
<p><b>E</b></p>
</td>
<td>
<p>Causes the display to include the paged and non-paged totals across the bottom.</p>
</td>
</tr>
<tr>
<td>
<p><b>A</b></p>
</td>
<td>
<p>Sorts tags by allocation size.</p>
</td>
</tr>
<tr>
<td>
<p><b>F</b></p>
</td>
<td>
<p>Sorts tags by free operations.</p>
</td>
</tr>
<tr>
<td>
<p><b>S</b></p>
</td>
<td>
<p>Sorts tags by the difference between allocations and frees. </p>
</td>
</tr>
<tr>
<td>
<p><b>Q</b></p>
</td>
<td>
<p>Quits PoolMon.</p>
</td>
</tr>
</table>
<p> </p>
<h3><a id="using_the_poolmon_utility_to_find_a_memory_leak"></a><a id="USING_THE_POOLMON_UTILITY_TO_FIND_A_MEMORY_LEAK"></a>Using the PoolMon Utility to Find a Memory Leak</h3>
<p>To find a memory leak with the PoolMon utility, follow this procedure:</p>
<ol>
<li>
<p>Start PoolMon. </p>
</li>
<li>
<p>If you have determined that the leak is occurring in non-paged pool, press <b>P</b> once; if you have determined that it is occurring in paged pool, press <b>P</b> twice. If you do not know, do not press <b>P</b> and both kinds of pool are included. </p>
</li>
<li>
<p>Press <b>B</b> to sort the display by maximum byte use. </p>
</li>
<li>
<p>Start your test. Take a screen shot and copy it to Notepad. </p>
</li>
<li>
<p>Take a new screen shot every half hour. By comparing screen shots, determine which tag's bytes are increasing. </p>
</li>
<li>
<p>Stop your test and wait a few hours. How much of the tag was freed up in this time? </p>
</li>
</ol>
<p>Typically, after an application reaches a stable running state, it allocates memory and free memory at roughly the same rate. If it tends to allocate memory faster than it frees it, its memory use will grow over time. This often indicates a memory leak.</p>
<h3><a id="addressing_the_leak"></a><a id="ADDRESSING_THE_LEAK"></a>Addressing the Leak</h3>
<p>After you have determined which pool tag is associated with the leak, this might reveal all you need to know about the leak. If you need to determine which specific instance of the allocation routine is causing the leak, see <a href="#Bookmark1391">Using the Kernel Debugger to Find Kernel-Mode Memory Leaks</a>.</p></div></div>	
	<div id="winchm_template_footer">Copyright &copy; 2019. All rights 
reserved. (To change the copyright info, just edit it in template.)</div>
</div>

</body>
</html>
